Authors: 谷勇浩 (GU Yong-Hao) [1,2,3]; 王翼翡 (WANG Yi-Fei); 刘威歆 (LIU Wei-Xin); 吴铁军 (WU Tie-Jun); 孟国柱 (MENG Guo-Zhu)
Affiliations: [1] Beijing Key Laboratory of Intelligent Telecommunications Software and Multimedia (Beijing University of Posts and Telecommunications), Beijing 100876, China; [2] School of Computer Science, Beijing University of Posts and Telecommunications, Beijing 100876, China; [3] Guangdong Provincial Key Laboratory of Information Security Technology (Sun Yat-sen University), Guangzhou 510006, Guangdong, China; [4] Nsfocus Technologies Group Co., Ltd., Beijing 100089, China; [5] State Key Laboratory of Information Security (Institute of Information Engineering, Chinese Academy of Sciences), Beijing 100093, China; [6] School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China
Source: Journal of Software (《软件学报》), 2023, No. 7, pp. 3188-3205 (18 pages)
Funding: Fundamental Research Funds for the Central Universities Action Plan of Beijing University of Posts and Telecommunications (2021XD-A11-1); National Natural Science Foundation of China (U20B2045, U1936216); Open Fund of Guangdong Provincial Key Laboratory of Information Security Technology (2020B1212060078).
Abstract: Existing malware similarity measurement methods are easily affected by code obfuscation techniques and lack the ability to model the complex relationships between malware samples. This study proposes a malware similarity measurement method based on a multiplex heterogeneous graph, called API relation graph enhanced multiple heterogeneous ProxEmbed (RG-MHPE), to solve these problems. The method first uses the dynamic and static features of malware to construct a multiplex heterogeneous graph, and then proposes an enhanced proximity embedding method based on relational paths, which solves the problem that proximity embedding cannot be applied to similarity measurement on a multiplex heterogeneous graph. In addition, the study extracts knowledge from the API documentation on the MSDN website, builds an API relation graph, and learns the similarity relationships between Windows APIs, which effectively slows down the aging of the similarity measurement model. Finally, comparative experiments show that RG-MHPE performs best in both similarity measurement performance and model anti-aging ability.
Keywords: malware similarity; multiplex heterogeneous graph; proximity embedding; API relation graph; model aging
Classification: TP311 [Automation and Computer Technology: Computer Software and Theory]